Detecting hidden enemy lines in IP address space

  • Authors:
  • Suhas Mathur
  • Baris Coskun
  • Suhrid Balakrishnan

  • Affiliations:
  • AT&T Security Research Center, New York, NY, USA (Mathur, Coskun)
  • AT&T Labs Research, Florham Park, NJ, USA (Balakrishnan)

  • Venue:
  • Proceedings of the 2013 workshop on New security paradigms workshop
  • Year:
  • 2013

Abstract

If an outbound flow is observed at the boundary of a protected network, destined to an IP address within a few addresses of a known malicious IP address, should it be considered a suspicious flow? Conventional exact-match blacklisting cannot answer this question, and the established observation that malicious IP addresses are highly clustered in certain portions of IP address space suggests that such a flow should indeed raise suspicion. We present a new approach to perimeter defense that addresses this concern. At the heart of our approach, we attempt to infer internal, hidden boundaries in IP address space that lie within the publicly known boundaries of registered IP netblocks. Our hypothesis is that, given a known bad IP address, other IP addresses in the same internal contiguous block are likely to share similar security properties, and may therefore be vulnerable to being similarly compromised and used by attackers in the future. In this paper, we describe how we infer hidden internal boundaries in IPv4 netblocks, and what effect this has on the ability to predict malicious IP addresses.
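The following is an added illustration of the idea in the abstract, not code from the paper or its authors, and it does not reproduce their inference method (the abstract does not describe it). It assumes a simple stand-in heuristic: known-bad addresses that sit close together inside a registered netblock are grouped into runs (gap threshold MAX_GAP, an assumed parameter), each run is snapped to the smallest CIDR-aligned block that covers it, and an outbound destination is then checked against both the exact blacklist and those inferred blocks. The netblock and addresses are constructed sample data from the TEST-NET-3 documentation range.

```python
import ipaddress
from typing import List

# Constructed sample data (not from the paper): a registered netblock and a
# handful of addresses inside it that are already on a blacklist.
# 203.0.113.0/24 is the TEST-NET-3 documentation range, so none of it is real.
REGISTERED_NETBLOCK = ipaddress.ip_network("203.0.113.0/24")
KNOWN_BAD = ["203.0.113.10", "203.0.113.12", "203.0.113.15",
             "203.0.113.200", "203.0.113.201"]

# Assumed heuristic parameter: two bad addresses no more than MAX_GAP apart are
# taken to lie in the same hidden sub-block. The paper's own inference method is
# not described in the abstract; this threshold is an illustrative stand-in.
MAX_GAP = 8


def cluster_addresses(addrs: List[str], max_gap: int = MAX_GAP) -> List[List[int]]:
    """Group addresses (as integers) into sorted runs whose neighbours are <= max_gap apart."""
    ints = sorted(int(ipaddress.ip_address(a)) for a in addrs)
    clusters: List[List[int]] = []
    for v in ints:
        if clusters and v - clusters[-1][-1] <= max_gap:
            clusters[-1].append(v)
        else:
            clusters.append([v])
    return clusters


def covering_block(cluster: List[int], outer: ipaddress.IPv4Network) -> ipaddress.IPv4Network:
    """Smallest CIDR-aligned block containing every address in the run, never larger than outer."""
    lo, hi = cluster[0], cluster[-1]
    # Widen the prefix one bit at a time until the aligned block reaches hi.
    for prefixlen in range(32, outer.prefixlen - 1, -1):
        net = ipaddress.ip_network((lo, prefixlen), strict=False)  # strict=False masks host bits
        if int(net.broadcast_address) >= hi:
            return net
    return outer


def infer_hidden_blocks(bad: List[str], outer: ipaddress.IPv4Network) -> List[ipaddress.IPv4Network]:
    """Infer the sub-blocks of `outer` that the known-bad addresses appear to occupy."""
    inside = [a for a in bad if ipaddress.ip_address(a) in outer]
    return [covering_block(run, outer) for run in cluster_addresses(inside)]


HIDDEN_BLOCKS = infer_hidden_blocks(KNOWN_BAD, REGISTERED_NETBLOCK)
BAD_SET = {ipaddress.ip_address(a) for a in KNOWN_BAD}


def classify_destination(dst: str) -> str:
    """'blacklisted' on exact match, 'suspicious' if inside an inferred block, else 'clean'."""
    addr = ipaddress.ip_address(dst)
    if addr in BAD_SET:
        return "blacklisted"
    if any(addr in block for block in HIDDEN_BLOCKS):
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    print("inferred blocks:", [str(b) for b in HIDDEN_BLOCKS])
    for dst in ["203.0.113.12", "203.0.113.9", "203.0.113.100", "203.0.113.202"]:
        print(f"{dst:16} -> {classify_destination(dst)}")
```

With the constructed data the three addresses .10/.12/.15 collapse into 203.0.113.8/29 and the pair .200/.201 into 203.0.113.200/31, so a flow to 203.0.113.9 is flagged as suspicious even though it is not on the blacklist, while 203.0.113.100 and 203.0.113.202 stay clean. The gap threshold and the CIDR snapping are the tunable parts: too large a gap merges unrelated operators sharing one registered block, too small a gap reduces the scheme to exact-match blacklisting.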